Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Doctor Can't Cure It


  • This topic is locked This topic is locked
13 replies to this topic

#1 Panta

Panta

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 05 July 2008 - 09:09 AM

Hi folks,

I have successfully eliminated Bagle (or at least I hope so), but there still are a few residues on my system that I'm not sure about.
I downloaded Spyware Doctor when I was infected, and it still finds 16 items. As you probably know it's not a free tool so it can't fix what it finds. I'm attaching a screeshot, and here's a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.56.08, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe
C:\Programmi\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Spyware Doctor\pctsAuxs.exe
C:\Programmi\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programmi\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programmi\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC2469F7-DF95-4EC1-BAB5-5525DF2FF74D}: NameServer = 193.12.150.2 212.247.152.2
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\pctsSvc.exe



I hope you can tell me how to fix this (the computer SEEMS to work fine anyways). Thanks a lot! :thumbsup:


Edit: I have already used the following: Spybot, A2, AVG, Ad-Aware, Spyware Blaster.

Attached Files


Edited by Panta, 05 July 2008 - 08:31 PM.


BC AdBot (Login to Remove)

 


m

#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 11 July 2008 - 03:37 AM

Hello Panta,

Welcome to Bleeping Computer HijackThis forum. I am farbar. I am going to assist you with your problem. Please give me some time to look it over and I will get back to you as soon as possible.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 11 July 2008 - 11:17 AM

Hi again,
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please download Deckard's System Scanner (DSS) and save to your Desktop.
    alternate download site

    DSS will do the following:
    • Create a new System Restore point in Windows XP and Vista.
    • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
    • Check some important areas of your system and produce a report for an analyst to review.
    • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
    You must be logged onto an account with administrator privileges when using.
    • Close all applications and windows.
    • Double-click on dss.exe to run it and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not
      malicious.
    • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



#4 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 12 July 2008 - 07:03 AM

Hello farbar, thanks for your most appreciated help.

MBAM has found nothing wrong.

Here are the dss.exe logs:

Deckard's System Scanner v20071014.68
Run by Centrino on 2008-07-12 13:57:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-07-12 11:57:40 UTC - RP5 - Deckard's System Scanner Restore Point
2: 2008-07-07 17:34:44 UTC - RP4 - Punto di arresto del sistema
1: 2008-07-04 16:56:40 UTC - RP3 - Installed SUPERAntiSpyware Free Edition


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 496 MiB (512 MiB recommended).


-- HijackThis (run as Centrino.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.58.39, on 12/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Centrino\Desktop\dss.exe
C:\HJT\Centrino.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programmi\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\pctsSvc.exe

--
End of file - 5510 bytes

-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20060928-125323-161 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ssesso.it
backup-20060928-125323-858 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ssesso.it
backup-20060928-125323-253 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ssesso.it
backup-20060928-125323-890 O4 - HKLM\..\Run: [pwqn1.exe] C:\WINDOWS\Temp\pwqn1.exe
backup-20060928-125323-157 O23 - Service: LogIdl - Unknown owner - \\?\C:\Programmi\Windows NT\lpt3.exe (file missing)
backup-20061116-004125-305 O4 - HKLM\..\Run: [z] C:\z.exe
backup-20061119-124005-203 O23 - Service: Print Spooler Service (cjmpys41aeyl) - Unknown owner - C:\z.exe (file missing)
backup-20061119-124006-807 O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
backup-20061119-124006-202 O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
backup-20080705-150203-777 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080705-150322-979 O15 - Trusted Zone: *.whataboutadog.com
backup-20080705-150322-759 O15 - Trusted Zone: *.whataboutarabit.com
backup-20080705-150417-563 O23 - Service: is-ESKFE - Unknown owner - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-ESKFE\is-ESKFE.exe" -r (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys (file missing)
S2 NdisFilter - c:\windows\system32\drivers\ndisfilter.sys (file missing)
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 is-ESKFE - "c:\documents and settings\all users\desktop\kaspersky lab tool\is-eskfe\is-eskfe.exe" -r (file missing)
S4 MSDisk (Network helper Service) - "c:\windows\system32\irdvxc.exe" /service (file missing)
S4 sdk (Microsoft sdk core) - "c:\windows\lsass.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4400B47E23F37
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\4400B47E23F37
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_003D1025&REV_10\4&16793A72&0&08F0
Manufacturer: Realtek
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_003D1025&REV_10\4&16793A72&0&08F0
Service: rtl8139

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless LAN 2100 3B Mini PCI Adapter
Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25278086&REV_04\4&16793A72&0&10F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless LAN 2100 3B Mini PCI Adapter
PNP Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25278086&REV_04\4&16793A72&0&10F0
Service: w70n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: LAN ATM emulata
Device ID: ROOT\MS_ATMELAN\0000
Manufacturer: Microsoft
Name: LAN ATM emulata(<nome ELAN non specificato>)
PNP Device ID: ROOT\MS_ATMELAN\0000
Service: AtmElan


-- Scheduled Tasks -------------------------------------------------------------

2008-07-12 13:58:20 402 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 13:51:31 0 d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-07-06 23:40:36 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-05 14:02:03 0 d-------- C:\Programmi\a-squared Free
2008-07-04 18:56:43 0 d-------- C:\Programmi\SUPERAntiSpyware
2008-07-04 18:55:55 0 d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-06-30 01:24:20 2188 --a------ C:\Documents and Settings\Centrino\fixbagle.BAT
2008-06-30 01:24:20 359062 --a------ C:\Documents and Settings\Centrino\FixAll.reg
2008-06-30 01:24:19 0 d-a------ C:\Documents and Settings\Centrino\SHARED
2008-06-30 01:21:00 0 d-------- C:\Programmi\Startup Manager
2008-06-29 01:00:47 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 19:34:08 0 d-------- C:\Programmi\Spyware Doctor


-- Find3M Report ---------------------------------------------------------------

2008-07-12 13:51:40 0 d-------- C:\Documents and Settings\Centrino\Dati applicazioni\Malwarebytes
2008-07-12 12:23:38 340290 --a------ C:\WINDOWS\system32\perfh010.dat
2008-07-12 12:23:38 46034 --a------ C:\WINDOWS\system32\perfc010.dat
2008-07-04 18:56:44 0 d-------- C:\Documents and Settings\Centrino\Dati applicazioni\SUPERAntiSpyware.com
2008-06-28 19:34:10 0 d-------- C:\Documents and Settings\Centrino\Dati applicazioni\PC Tools
2008-06-25 02:04:02 0 d-------- C:\Documents and Settings\Centrino\Dati applicazioni\Agelong Tree


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [20/06/2003 19.55 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [23/06/2003 10.35 C:\WINDOWS\AGRSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 01.19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11.50]
"DVDTray"="C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe" [03/09/2004 10.58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 15.39]

C:\Documents and Settings\Centrino\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 20.16.50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmi\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10.13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmi\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13.41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
"drvsyskit"=C:\WINDOWS\system32\drivers\hldrrr.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8800 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-12 13:59:33 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Italian

CPU 0: Intel® Pentium® M processor 1300MHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 495.48 MiB / 231.01 MiB
Pagefile Memory (total/avail): 1157.84 MiB / 910.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.82 MiB

C: is Fixed (FAT32) - 18.16 GiB total, 4.75 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 5.32 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK3021GAS - 27.95 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 18.17 GiB - C:
\PARTITION1 - Unknown - 9.77 GiB - D:
\PARTITION2 - Unknown - 7.84 MiB



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

UpdatesDisableNotify is set.

AV: avast! antivirus 4.8.1201 [VPS 080712-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\MSN Messenger\\msncall.exe"="C:\\Programmi\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\MSN Messenger\\msncall.exe"="C:\\Programmi\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programmi\\eMule0.47a\\emule.exe"="C:\\Programmi\\eMule0.47a\\emule.exe:*:Enabled:eMule"
"C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"="C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programmi\\eMule\\emule.exe"="C:\\Programmi\\eMule\\emule.exe:*:Enabled:eMule"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Centrino\Dati applicazioni
CommonProgramFiles=C:\Programmi\File comuni
COMPUTERNAME=ACER-8RISFO6APT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Centrino
LOGONSERVER=\\ACER-8RISFO6APT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Programmi\File comuni\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Programmi
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Centrino\IMPOST~1\Temp
TMP=C:\DOCUME~1\Centrino\IMPOST~1\Temp
USERDOMAIN=ACER-8RISFO6APT
USERNAME=Centrino
USERPROFILE=C:\Documents and Settings\Centrino
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Centrino (admin)
VCxjNlRJKni (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Programmi\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Programmi\File comuni\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Programmi\Acer Inc.\Acer Italian Guide Link\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 3.5 --> "C:\Programmi\a-squared Free\unins000.exe"
AC3Filter (remove only) --> C:\Programmi\AC3Filter\uninstall.exe
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUN0410.EXE -f"C:\Programmi\File comuni\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Programmi\File comuni\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000101}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-551D-4478-9682-DBB587257110}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0410-1E257A25E34D}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
Agere Systems AC'97 Modem --> agrsmdel
Aggiornamento della protezione per Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Aggiornamento della protezione per Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Aggiornamento della protezione per Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Aggiornamento per Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB885884 --> C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Aggiornamento rapido per Windows XP - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Aggiornamento rapido per Windows XP - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x10
avast! Antivirus --> C:\Programmi\Alwil Software\Avast4\aswRunDll.exe "C:\Programmi\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG Anti-Spyware 7.5 --> C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Canon Digital Camera USB WIA Driver --> C:\WINDOWS\IsUn0410.exe -f"C:\Programmi\Canon\DC USB WIA\Uninst.isu" -c"C:\Programmi\Canon\DC USB WIA\SetupWia.dll"
Canon MP Navigator 3.0 --> "C:\Programmi\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Programmi\Canon\MP Navigator 3.0\uninst.ini
Canon MP160 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0010
Canon Utilities Easy-PhotoPrint --> C:\Programmi\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
CCleaner (remove only) --> "C:\Programmi\CCleaner\uninst.exe"
dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
DivX Codec --> C:\Programmi\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Programmi\DivX\DivXPlayerUninstall.exe /PLAYER
DVD Shrink 3.2 --> "C:\Programmi\DVD Shrink\unins000.exe"
Easy-WebPrint --> C:\WINDOWS\IsUn0410.exe -fC:\Programmi\Canon\Easy-WebPrint\Uninst.isu
eMule --> "C:\Programmi\eMule\Uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\programmi\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\Centrino\Desktop\Nuova cartella\HijackThis.exe" /uninstall
Indeo® Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Launch Manager --> C:\WINDOWS\UnInst32.exe CPLBCL53.UNI
LiveReg (Symantec Corporation) --> C:\Programmi\File comuni\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Programmi\Symantec\LiveUpdate\LSETUP.EXE /U
MAGIX Media Manager silver --> C:\MAGIX\Media_Manager\instslct.exe
MAGIX music studio 2004 deLuxe --> C:\MAGIX\ms2004_deLuxe\instslct.exe
Malwarebytes' Anti-Malware --> "C:\Programmi\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional con FrontPage --> MsiExec.exe /I{90280410-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190410-6000-11D3-8CFE-0050048383C9}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
Nero Suite --> C:\Programmi\File comuni\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NTI CD & DVD-Maker 6 Gold --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1040 AnyText
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
Philips GoGear HDD Device Manager --> C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{B184A2F7-3EC8-4B86-8412-27E0D53BA535} /l1040
PowerDVD --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer --> C:\Programmi\File comuni\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Registrazione utente Canon MP160 --> C:\Programmi\Canon\IJEREG\MP160\UNINST.EXE
ScanSoft OmniPage SE 4.0 --> MsiExec.exe /I{29D851C2-048C-4B5E-8D1F-25D473342BB5}
SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe" /l0010 -Control_Panel
Spybot - Search & Destroy --> "C:\Programmi\Spybot - Search & Destroy\unins001.exe"
Spyware Doctor 6.0 --> C:\Programmi\Spyware Doctor\unins000.exe /LOG
Startup Manager 2.4.1 --> "C:\Programmi\Startup Manager\unins000.exe"
Steinberg Cubase SX --> C:\PROGRA~1\STEINB~1\CUBASE~1\UNINST~1.EXE C:\PROGRA~1\STEINB~1\CUBASE~1\Install.log
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TravelMate 290 --> C:\Programmi\TravelMate 290\uninstall.exe
Windows Live Messenger --> MsiExec.exe /I{A511414C-4846-4630-8AC0-B156D8CB1FC0}
WinRAR gestione archivi --> C:\Programmi\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7145 / Error
Event Submitted/Written: 07/04/2008 08:10:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Applicazione in stallo iexplore.exe, versione 6.0.2900.2180, modulo in stallo hungapp, versione 0.0.0.0, indirizzo stallo 0x00000000.

Event Record #/Type7125 / Warning
Event Submitted/Written: 07/03/2008 00:01:41 PM
Event ID/Source: 1 / LightScribeService
Event Description:
Win32 Error : Function: [HurricaneClientProxy::OpenCDROMDevice] Error opening class device \\.\CDROM0 returned Win32 Error: 1006 Description: Il volume corrispondente al file è stato alterato dall'esterno. Il file aperto non è più valido.

Event Record #/Type7118 / Error
Event Submitted/Written: 07/01/2008 03:31:15 PM
Event ID/Source: 1000 / Microsoft Office 10
Event Description:
Faulting application winword.exe, version 10.0.5522.0, faulting module msgrit32.dll, version 3.0.0.29, fault address 0x000511f9.

Event Record #/Type7117 / Warning
Event Submitted/Written: 07/01/2008 03:27:58 PM
Event ID/Source: 1 / LightScribeService
Event Description:
Win32 Error : Function: [HurricaneClientProxy::OpenCDROMDevice] Error opening class device \\.\CDROM0 returned Win32 Error: 1006 Description: Il volume corrispondente al file è stato alterato dall'esterno. Il file aperto non è più valido.

Event Record #/Type7114 / Warning
Event Submitted/Written: 06/30/2008 11:22:46 PM
Event ID/Source: 1 / LightScribeService
Event Description:
Win32 Error : Function: [HurricaneClientProxy::OpenCDROMDevice] Error opening class device \\.\CDROM0 returned Win32 Error: 1006 Description: Il volume corrispondente al file è stato alterato dall'esterno. Il file aperto non è più valido.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type76795 / Error
Event Submitted/Written: 07/12/2008 00:19:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio Nsynas32 non è stato avviato per il seguente errore:
%%2

Event Record #/Type76794 / Error
Event Submitted/Written: 07/12/2008 00:19:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio General Purpose USB Driver (adildr.sys) non è stato avviato per il seguente errore:
%%2

Event Record #/Type76765 / Error
Event Submitted/Written: 07/11/2008 10:15:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio Nsynas32 non è stato avviato per il seguente errore:
%%2

Event Record #/Type76764 / Error
Event Submitted/Written: 07/11/2008 10:15:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Il servizio General Purpose USB Driver (adildr.sys) non è stato avviato per il seguente errore:
%%2

Event Record #/Type76759 / Error
Event Submitted/Written: 07/11/2008 08:12:00 PM
Event ID/Source: 7 / Cdrom
Event Description:
Rilevato blocco danneggiato sulla periferica \Device\CdRom1.



-- End of Deckard's System Scanner: finished at 2008-07-12 13:59:33 ------------


Have a great week-end, and let me know what to do next.
:thumbsup:

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 12 July 2008 - 11:31 AM

Hi Panta,

There is no sign of infection on your logs. Just a few things:

:)
One or more of the removed infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been removed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
If you feel no need to reinstall please move on to the next steps.

:)
Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case Emule). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

:thumbsup:
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the files in bold (if present):

    C:\WINDOWS\system32\perfh010.dat
    C:\WINDOWS\system32\perfc010.dat

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
  • When you clean your PC there might be some registry leftovers. Most of the time they are harmless. In this case a few of them are the removed entries with Hijackthis. To delete the HJT backup:
    • Open HijackThis, and click on "View the list of Backups".
    • Place a check mark next to everything in that window.
    • Click Delete, then click Yes
    • More information can be found here.
  • To delete those registry items identified by Spyware doctor you can download a free Spyware doctor starter edition from http://www.Majorgeeks.com.

    Install it, update and then run a full/complete scan and then let it remove/quarantine what it finds. I recommend you to turn the real time protection off and use it as on demand scanner, meaning running it when you want to scan your PC and turn it off when you are finished with scanning and removing the malware.

  • Please copy and paste a fresh Hijackthis log to your reply and tell how the things are now.


#6 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 12 July 2008 - 05:57 PM

Alrighty, I did everything you said:

- What is the backdoor you're referring to? Any idea when it was removed?

- The about:blank line was there, and I removed it. The same goes for the two perf files; note that there are more of these in the same folder, is that ok?

- I have updated Java.

- I have removed HJT backups.

- I have run a starter version of Spyware Doctor and it did fix those things in the registry.

Everything works fine so far, here's the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.49.44, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programmi\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programmi\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe

--
End of file - 5392 bytes


One last thing: I've been advised to stop using avast. Would you agree? I've been told avira is better, but I've never had any problems with avast.

Thanks :thumbsup:

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 13 July 2008 - 05:31 AM

Hi Panta,

- What is the backdoor you're referring to? Any idea when it was removed?


backup-20060928-125323-157 O23 - Service: LogIdl - Unknown owner - \\?\C:\Programmi\Windows NT\lpt3.exe (file missing)
backup-20061119-124006-202 O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

As you see the backdoors startup entries are removed on the dates mentioned. There is no way to know if your PC was clean after. I posted the warning anyway to inform you about the implications of being infected by a backdoor.


One last thing: I've been advised to stop using avast. Would you agree? I've been told avira is better, but I've never had any problems with avast.


I have really no idea which one is better.


... The same goes for the two perf files; note that there are more of these in the same folder, is that ok?


They might be valid and remade again. In particular perfh010.dat could be also made by a keylogger. More information her: http://www.sophos.com

To make sure please follow the following steps:
  • Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    C:\WINDOWS\system32\NeroCheck.exe

    Please copy and paste the results of the scan in your next post. If the file is clean just mentioning it suffices.

  • Download Find File Information (scroll down the page) and save it to your desktop.
    • Double-click on FileInfo.vbs to start and follow the prompts.
    • When you see a prompt like this "Enter drive letter to search (letter only)", enter an asterisk (*) and click OK.
    • In the next window, enter:
      mdss32
    • Click OK. A text file named searched.txt will open and automatically be saved in the root of your C:\ directory.
    • Please copy/paste the information from searched.txt in your next reply.
    Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.

  • Please run the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
    Follow the Instruction here for installation.
    Accept the License Agreement.
    Once the ActiveX installs,Click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and Copy&Paste the entire report in your next reply.


#8 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 13 July 2008 - 08:31 AM

Hello :thumbsup:

Ok, so that old infection is from 2006, I guess it's gone for good now.

NeroCheck.exe is clean.

mdss32 was not found.

F-Secure only found one tracking cookie. Anyway here's the log:

Result: 1 malware found
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 33566
System: 3739
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-07-13
F-Secure AVP: 7.0.171, 2008-07-13
F-Secure Pegasus: 1.20.0, 2008-04-15
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


What next?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 13 July 2008 - 10:16 AM

Hi Panta,

So that one is also checked and everything looks good. But I want to remind you that your computer is still very much susceptible to reinfection. I strongly advise you to install a firewall before surfing. You find more information on this below.

In order to reduce the possible infection in the future, you may follow the following steps:
  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Sometimes the Privacy, Security and Web settings are altered by the malware. Check and if needed reset them to default:
    • Open Internet explorer > Tools menu > Internet options.
    • Under privacy tab press default.
    • Under security tab press default.
    • Under Programs tab press Reset Web Settings and click OK.
  • Update your Anti Virus and Antispyware Software definitions and run the programs on a regular basis.

  • Use a firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Click for more information on:Understanding and Using Firewalls

  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has recently released Service Pack 3 which has more features and is more secure than Service Pack 2. You may update your Windows via Windows update.

  • Install Javacools© SpywareBlaster -
    SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. You can find more information and a download link here.


#10 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 13 July 2008 - 11:13 AM

Groovy :thumbsup:

1: Done.

2: Done. They were already ok I think.

3: I do that more than regularly.

4: I use Windows Firewall. Is it good enough?

5: I'll upgrade to SP3 shortly.

6: I already have it.


Thank you very much for your help. :)

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 13 July 2008 - 12:42 PM

The Windows firewall is not good enough. There are several good free programs available like:
Sunbelt-Kerio
Comodo Firewall Pro
Online Armor Free edition

And you are welcome Panta, glad we could help.

#12 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 14 July 2008 - 07:14 AM

I have installed Online Armor. Anyway I can't seem to be able to switch Windows Firewall off completely. Since WF itself advises me not to run 2 firewalls at the same time, I was wondering if there is any real risk of conflict or if I can keep them both running.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:42 AM

Posted 14 July 2008 - 07:52 AM

Good move. You can either disable WF or keep them both.

Have a nice day.

#14 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 14 July 2008 - 07:55 AM

Awesome. Thanks again for your help :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users